On Wed, Jan 30, 2008 at 09:44:33AM +1100, Andre Kolodochka wrote:
> Hi sluggers,
> 
> We have OpenVPN server running internally for employees to access our
> network from home. We have a request from a potential client to access
> some internal demo systems. They are happy to install and use OpenVPN
> client, however I won't be happy giving them the full access to our
> network.
> 
> Hence the question. Is it possible to restrict access for certain
> users only to specific set of IP addresses? So everyone except this
> client will be able to use VPN to access everything on the network as
> usual and potential client will be able to access only boxes on those
> specific IP addresses?
> 
> Thanks in advance,

The relevant lines from the conf file:

client-connect /etc/openvpn/sydlxfw01-up.sh
client-disconnect /etc/openvpn/sydlxfw01-down.sh

I have one script and use a symlink to give the above two:

#!/bin/sh
# One script, symlinked under two names: OpenVPN calls the "-up" link from
# client-connect and the "-down" link from client-disconnect, so the script
# name decides whether rules are inserted (-I) or deleted (-D).

NM="$(basename "$0")"


if [ "$NM" = "sydlxfw01-up.sh" ]
then
                IPACTION="replace"
                FWACTION="-I"
fi


if [ "$NM" = "sydlxfw01-down.sh" ]
then
                IPACTION="delete"
                FWACTION="-D"
fi

# Invoked under an unexpected name: refuse rather than run iptables with no action.
[ -n "$FWACTION" ] || exit 1

# OpenVPN exports the client's certificate common name ($common_name) and its
# assigned tunnel address ($ifconfig_pool_remote_ip) into the script environment.
# Default for every client: allow new connections to anything behind FORWARD.
iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -m state --state NEW -j ACCEPT


# Restricted client: reject everything, then punch a hole for one host/port.
# Each -I lands at the top of the chain, so the later ACCEPT sits above the REJECT.
if [ "$common_name" = "client4" ]
then
                iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -j REJECT
                iptables $FWACTION OPENVPN -s "$ifconfig_pool_remote_ip/32" -d 192.168.11.10 -p tcp --dport 22 -j ACCEPT
fi

exit 0

You need to get the client names which you get from the certificate.

You will also need a chain in iptables which is linked to FORWARD where you can
add or remove rules. I prefer to do this on a separate chain rather than the main
one.

This way you can deny/restrict based on the certificate given out.
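The per-certificate scheme described above, as an added example that is not part of the original post: it sets up the dedicated chain hung off FORWARD and generalises the single hard-coded client to a small CN-keyed policy of allowed host:port pairs. The tunnel interface name (tun0), the sample tunnel addresses and the policy entries are assumptions; IPTABLES defaults to "echo iptables" so the commands are printed rather than executed.

```shell
#!/bin/sh
# Set IPTABLES=iptables on a real gateway; the default only prints the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# Run once at boot: hand traffic arriving from the VPN (assumed tun0)
# to a separate OPENVPN chain that the connect/disconnect hooks edit.
setup_chain() {
    $IPTABLES -N OPENVPN
    $IPTABLES -I FORWARD -i tun0 -j OPENVPN
}

# Destinations a restricted client may reach, keyed by certificate CN.
# Constructed sample policy; an empty result means "unrestricted".
allowed_for() {
    case "$1" in
        client4) echo "192.168.11.10:22 192.168.11.20:443" ;;
        *)       echo "" ;;
    esac
}

# client_rules ACTION CN IP
#   ACTION is -I (client-connect) or -D (client-disconnect);
#   CN and IP stand in for $common_name and $ifconfig_pool_remote_ip.
client_rules() {
    action="$1"; cn="$2"; ip="$3"
    # Default for every client: new connections to anything behind FORWARD.
    $IPTABLES "$action" OPENVPN -s "$ip/32" -m state --state NEW -j ACCEPT
    allowed=$(allowed_for "$cn")
    if [ -z "$allowed" ]; then
        return 0
    fi
    # Restricted client: reject everything, then punch holes above the REJECT
    # (every -I lands at the top of the chain, so later inserts take precedence).
    $IPTABLES "$action" OPENVPN -s "$ip/32" -j REJECT
    for hp in $allowed; do
        $IPTABLES "$action" OPENVPN -s "$ip/32" -d "${hp%:*}" -p tcp --dport "${hp#*:}" -j ACCEPT
    done
}

# Number of rules a connect/disconnect event would touch for this client.
count_rules() { client_rules "$@" | wc -l | tr -d ' '; }
```

Run it with IPTABLES unset first and read the printed rules; the -D variant must name exactly the rules the -I variant inserted, or the disconnect hook leaves stale entries behind.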




-- 
"Part of the facts is understanding we have a problem, and part of the facts is 
what you're going to do about it."

        - George W. Bush
04/15/2005
Kirtland, OH

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html